The "impossibility proof" on unconditionally secure quantum bit commitment is critically analyzed.
Many possibilities for obtaining a secure bit commitment protocol are indicated, purely on
the basis of two-way quantum communications, which are not covered by the impossibility proof
formulation. They are classified under six new types of protocols, with security proofs for specific
examples on four types. Reasons for some previously failed attempts at obtaining secure protocols
are also indicated.
I. INTRODUCTION

Bit commitment is a kind of cryptographic protocol
that can serve as a building block to achieve various cryp- 
tographic objectives, such as user authentication. There 
is a nearly universal acceptance of the general impossibil- 
ity of secure quantum bit commitment (QBC), taken to 
be a consequence of the Einstein-Podolsky-Rosen (EPR) 
type entanglement cheating which supposedly rules out 
QBC and other quantum protocols that have been proposed
for various cryptographic objectives [1]. In a bit
commitment scheme, one party, Adam, provides another 
party, Babe, with a piece of evidence that he has chosen 
a bit b (0 or 1) which is committed to her. Later, Adam 
would open the commitment by revealing the bit b to 
Babe and convincing her that it is indeed the committed 
bit with the evidence in her possession and whatever fur- 
ther evidence Adam then provides, which she can verify. 
The usual concrete example is for Adam to write down 
the bit on a piece of paper, which is then locked in a safe 
to be given to Babe, while keeping for himself the safe 
key that can be presented later to open the commitment. 
The scheme should be binding, i.e., after Babe receives 
her evidence corresponding to a given bit value, Adam 
should not be able to open a different one and convince 
Babe to accept it. It should also be concealing, i.e., Babe 
should not be able to tell from her evidence what the bit 
b is. Otherwise, either Adam or Babe would be able to 
cheat successfully. 

In standard cryptography, secure bit commitment is to 
be achieved either through a trusted third party, or by 
invoking an unproved assumption concerning the com- 
plexity of certain computational problems. By utilizing 
quantum effects, specifically the intrinsic uncertainty of 
a quantum state, various QBC schemes not involving a 
third party have been proposed to be unconditionally secure,
in the sense that neither Adam nor Babe could
cheat with any significant probability of success as a mat- 
ter of physical laws. In 1995-1996, a supposedly general 
proof of the impossibility of unconditionally secure QBC, 
and the insecurity of previously proposed protocols, were 
presented Henceforth it has been generally ac- 

cepted that secure QBC and related objectives are im- 
possible as a matter of principle _ E3- 

There is basically just one impossibility proof (IP), 
which gives the EPR attacks for the cases of equal and 
unequal density operators that Babe has for the two dif- 
ferent bit values. The proof purports to show that if 
Babe's successful cheating probability $P_c^B$ is close to the
value 1/2, which is obtainable from pure guessing of the
bit value, then Adam's successful cheating probability
is close to the perfect value 1. This result is stronger
than the mere impossibility of unconditional security,
namely that it is impossible to have both $P_c^B \sim 1/2$ and
$P_c^A \sim 0$. The impossibility proof describes the EPR attack
on a specific type of protocols, and then argues that
all possible QBC protocols are of this type. 

Typically, one would expect that a proof of impossi- 
bility of carrying out some thing X would show that any 
possible way of doing X would entail a feature that is logically
contradictory to given principles, as, for example,
in the cases of quantum no-cloning [13, 14] and von Neumann's
no-hidden-variable theorem [15]. In the present
case, one may expect a proof which shows, e.g., that any 
QBC protocol that is concealing is necessarily not bind- 
ing. It is important for this purpose that the QBC proto- 
col formulation be all-inclusive. In the absence of a proof 
that all possible QBC protocols have been included in 
its formulation, any impossibility proof is at best incom- 
plete. Thus, a priori, there can be no general impossi- 
bility proof without a mathematical characterization or 
a definition of all QBC protocols. Within the framework 
of two-way quantum communications between Adam and 
Babe with no further constraints, which is the setting of 
the IP and its EPR attack, no such definition has ever 
been presented. Although one can judge whether or not 
a specific protocol is a QBC protocol, similar to whether 
a specific process of computation is "algorithmic" or not, 
it appears prohibitively difficult to characterize mathematically
all QBC protocols. Just as there is no Church-Turing
theorem, just a Church-Turing thesis, there can
be no impossibility theorem without a mathematical definition
of a QBC protocol.

More concretely, there are many types of QBC protocols
that are not captured by the IP formulation and
differ from each other, similar to the existence of several
types of algorithmic processes different from a Turing
machine. Some of these types were described by this
author previously, and secure protocols can actually
be found among them. As those papers, and this
one, should make clear, even if secure QBC were impossi- 
ble in all of these types, the impossibility proof for each of 
them would be different and would bear no resemblance 
to the well-known IP. These different types of protocols 
arise because only certain techniques of protocol design, 
such as certain use of classical randomness in a quantum 
protocol, are included in the IP formulation, which does 
not show that all possible techniques have been included. 
Even just for classical randomness, the different ways it 
could affect a QBC protocol are not properly accounted 
for. In this paper, some gaps in the IP, and the
corresponding opportunity for six new protocol types,
are systematically identified and elaborated upon.
The original IP formulation is named Type 0,
with the new ones named Type 1 to Type 6.

In Section II the impossibility proof is reviewed and its
scope delimited. The basis of previous incorrect claims
on the security of several different QBC protocols is
discussed. See also Appendix A. In Section III the
incompleteness of the IP is analyzed from a variety of
angles that lead to at least six different types of protocols
not covered by the IP formulation. They are discussed
in Section IV with security proofs given for QBC1 and
QBC2. The security proofs for QBC4 and QBC5 are
given in Refs. 0] and [20].



II. THE IMPOSSIBILITY PROOF: TYPE 0 PROTOCOLS

The impossibility proof, in its claimed generality, has 
never been systematically spelled out in one place, but 
the essential ideas that constitute this proof are gener- 
ally agreed upon (3 _ E3- The formulation and the proof 
can be cast as follows. Adam and Babe have available 
to them two-way quantum communications that termi- 
nate in a finite number of exchanges, during which either 
party can perform any operation allowed by the laws of 
quantum physics, all processes ideally accomplished with 
no imperfection of any kind. During these exchanges, 
Adam would have committed a bit with associated evidence
to Babe. It is argued that, at the end of the commitment
phase, there is an entangled pure state $|\Phi_b\rangle$,
$b \in \{0, 1\}$, shared between Adam who possesses state
space $\mathcal{H}^A$, and Babe who possesses $\mathcal{H}^B$. For example,
if Adam sends Babe one of $M$ possible states $\{|\phi_{bi}\rangle\}$ for
bit $b$ with probability $p_{bi}$, then

$$|\Phi_b\rangle = \sum_i \sqrt{p_{bi}}\,|e_i\rangle|\phi_{bi}\rangle \tag{1}$$

with orthonormal $|e_i\rangle \in \mathcal{H}^A$ and known $|\phi_{bi}\rangle \in \mathcal{H}^B$.
Adam would open by making a measurement on $\mathcal{H}^A$,
say $\{|e_i\rangle\}$, communicating to Babe his result $i_0$ and $b$;
then Babe would verify by measuring the corresponding
projector $|\phi_{bi_0}\rangle\langle\phi_{bi_0}|$ on $\mathcal{H}^B$, accepting as correct only
the result 1. More generally, one may consider the whole
$|\Phi_b\rangle$ of (1) as the state corresponding to the bit $b$, with
Adam sending $\mathcal{H}^A$ to Babe upon opening, so she can
verify by projection measurement on $|\Phi_b\rangle\langle\Phi_b|$.

When classical random numbers known only to one
party are used in the commitment, they are to be replaced
by corresponding quantum entanglement purification.
The commitment of $|\phi_{bi}\rangle$ with probability $p_{bi}$ in
(1) is, in fact, an example of such purification. An example
involving Babe may be a protocol (2l]]-[2i| where
$|\phi_{bi}\rangle$ in (1) is to be obtained by Adam applying unitary
operations $U_{bi}$ on state $|\psi_k\rangle \in \mathcal{H}^{B_1}$ sent to him by Babe
with probability $k \in K$, where $|K| < \infty$. Generally,
for any random $k$ used by Babe, it is argued that
from the doctrine of the "Church of the Larger Hilbert
Space" it is to be replaced by the purification $|\Psi\rangle$
in $\mathcal{H}^{B_1} \otimes \mathcal{H}^{B_2}$,

$$|\Psi\rangle = \sum_k \sqrt{\lambda_k}\,|\psi_k\rangle|f_k\rangle, \tag{2}$$

where $|\psi_k\rangle \in \mathcal{H}^{B_1}$ and the $|f_k\rangle$'s are complete orthonormal
in $\mathcal{H}^{B_2}$ kept by Babe while $\mathcal{H}^{B_1}$ would be sent to
Adam. With such purification, it is claimed that any protocol
involving classical secret parameters would become
quantum-mechanically determinate, i.e., the shared state
$|\Phi_b\rangle$ at the end of commitment is completely known to
both parties. Note that, from (2), this means that both
$\{\lambda_k\}$ and $\{|f_k\rangle\}$ are taken to be known exactly to both
Babe and Adam. The possibility that one can always
purify a classically random situation as in has never
been proved, especially how it may be combined with the
following (3). It is elaborated later in this paper and in
Ref. [20], in connection with QBC1 and QBC5, that this
is generally not possible.

Why should Adam and Babe share a pure state at the
end of commitment? Any measurement followed by a
unitary operation $U_l$ depending on the measurement result
$l$ can be equivalently described by an overall unitary
operator. Thus, if the orthonormal $\{|g_l\rangle\}$ on $\mathcal{H}^{C_2}$ is measured
with result $l$, and then $U_l$ operates on $\mathcal{H}^{C_1}$, it is
equivalent to the unitary operation

$$U = \sum_l U_l \otimes |g_l\rangle\langle g_l| \tag{3}$$

on $\mathcal{H}^{C_1} \otimes \mathcal{H}^{C_2}$. It is claimed that any actual measurement
during commitment can be postponed until the opening
and the verification phases of the protocol without affecting
the protocol in any essential way. Actually, if
the measurement result is announced during commitment
there is no need for (3) because the protocol state is just
indexed by the measurement result $l$ known to both parties.
(With the delayed measurement description, the
cheating and the opening would be quite involved and
hard to describe when the possibility of aborting a protocol
is allowed. They have never been explicitly spelled
out.) In order to maintain quantum determinacy, the exact
$\{|g_l\rangle\}$ in (3) are taken to be known to both parties.
Let us use $k$ to denote Babe's secret parameter, and $i$
to denote Adam's secret parameter, such as the $i$ with
probabilities $\{p_i\}$ in (1). These crucial assumptions of
openly known $\{p_i\}$, $\{\lambda_k\}$, $\{|f_k\rangle\}$, and $\{|g_l\rangle\}$ are made in
the impossibility proof through the use of known fixed 
quantum computers or quantum machines for data stor- 
age and processing by either party [3j , |(| , |£| Appendix] , 
even though the control of such machines belongs only 
to one of the parties. As it turns out, to cheat successfully,
Adam does not need to know $\{|g_l\rangle\}$ in a careful
formulation and he does not need to know $\{|f_k\rangle\}$ in one
general class of protocols [2^. However, he does need to
know $\{|\psi_k\rangle\}$ in general, a fact which is exploited in our
Type 4 protocols. The general possibility of such quan- 
tities being unknown or classically random to Adam is 
exploited in many of our protocols. A general limitation 
on the quantum purification of classical randomness is 
described in our discussion of Type 3 protocols in Sec- 
tion HE3 

Protocols of the form (1), where $\{|\phi_{bi}\rangle\}$ are just sent
from Adam to Babe, will be called single-stage protocols.
In a multiple-stage protocol, $|\phi_{bi}\rangle$ becomes, for
$i = \{i_1, \ldots, i_n\}$ and $k = \{k_1, \ldots, k_{n-1}\}$ with $2n-1$ stages
in total pj 

\fak)=U£ n ...U£ a Ulj l 1 U& 1 \<l> Q ). (4) 

The initial state $|\phi_0\rangle$ is openly known, and the alternate
possible unitary operations by Adam and Babe, together
with their respective probabilities, are also taken to be
openly known. If the action is initiated by Babe instead
of Adam, (4) can be replaced by, for a $2n$-stage protocol,

\<hrik) = u£ n ...u? 1 \4> ). (5) 

Purification of the random $U$'s is to be carried out as in
©. Thus, a multi-stage protocol is equivalent to one of
the form

$$|\Phi_b\rangle = \sum_{ik} \sqrt{p_{bi}\lambda_k}\,|e_i\rangle|f_k\rangle|\phi_{bik}\rangle, \tag{6}$$

where $\{p_{bi}\}$, $\{\lambda_k\}$, $\{|\phi_{bik}\rangle\}$ are openly known, $|e_i\rangle \in \mathcal{H}^A$
controlled by Adam, $|f_k\rangle \in \mathcal{H}^{B_1}$ controlled by Babe, and
$|\phi_{bik}\rangle \in \mathcal{H}^{B_2}$ is the evidence Babe possesses at the end
of commitment. As in the case of quantum coin-tossing
[24] formulation, in the IP the whole state space $\mathcal{H}^{B_2}$
is supposed to be passed on during each stage. As described
later, this misses the nonuniqueness associated
with passing back a portion of the space during commitment
or opening, as in QBC1, and the problem of the
very possibility of purification ©, as in QBC5. By writing
$|\phi_{bi}\rangle = \sum_k \sqrt{\lambda_k}\,|f_k\rangle|\phi_{bik}\rangle$, (6) is also of the form (1)
with $\mathcal{H}^B = \mathcal{H}^{B_1} \otimes \mathcal{H}^{B_2}$, and a multi-stage protocol is
claimed to be equivalent to a single-stage one. Indeed, it
is alternatively argued that $|\Phi_b\rangle$ is always openly known
at the end of commitment in any multi-stage protocol
with the use of purification. Thus, it can always be represented
by (1) with all the quantities involved openly
known.

With such a formulation, Babe can try to identify the
bit from $\rho_b^B$, the marginal state of $|\Phi_b\rangle$ on $\mathcal{H}^B$, by performing
an optimal quantum measurement that yields
the optimal cheating probability $P_c^B$ for her. Adam
cheats by committing $|\Phi_0\rangle$ and making a measurement
on $\mathcal{H}^A$ to open $i_0$ and $b = 1$. His probability of successful
cheating is computed through $|\Phi_b\rangle$, his particular measurement,
and Babe's verifying measurement; the one
optimized over all of his possible actions will be denoted
$P_c^A$. For a fixed measurement basis, Adam's cheating
can be described by a unitary operator $U^A$ on $\mathcal{H}^A$. His
general EPR attack goes as follows. If the protocol is
perfectly concealing, i.e., $P_c^B = 1/2$, then $\rho_0^B = \rho_1^B$. By
writing $|\Phi_b\rangle$ as the Schmidt decomposition on $\mathcal{H}^A \otimes \mathcal{H}^B$,

$$|\Phi_b\rangle = \sum_j \sqrt{p_j}\,|e_{bj}\rangle|\phi_j\rangle, \tag{7}$$

where $|\phi_j\rangle$ are the eigenvectors of $\rho_0^B$ and $\{|e_{bj}\rangle\}$ for each
$b$ are complete orthonormal in $\mathcal{H}^A$, it follows that Adam
can obtain $|\Phi_1\rangle$ from $|\Phi_0\rangle$ by a local cheating transformation
$U^A$ that brings $\{|e_{0j}\rangle\}$ to $\{|e_{1j}\rangle\}$. Thus his optimum
cheating probability is $P_c^A = 1$ in this case. More
generally, when Babe checks $|\Phi_b\rangle$ on $\mathcal{H}^A \otimes \mathcal{H}^B$, Adam
still just cheats by applying a local transformation $U^A$
to turn $|\Phi_0\rangle$ to $|\Phi_1\rangle$, although the terminology of EPR
attack then becomes somewhat misleading.

For unconditional, rather than perfect, security, one
demands that both cheating probabilities $P_c^B - 1/2$ and
$P_c^A$ can be made arbitrarily small when a security parameter
$n$ is increased. Thus, unconditional security is
quantitatively expressed as

$$\text{(US)} \qquad \lim_n P_c^B = \frac{1}{2}, \quad \lim_n P_c^A = 0. \tag{8}$$

The condition (8) says that, for any $\epsilon > 0$, there exists
an $n_0$ such that for all $n > n_0$, $P_c^B - 1/2 < \epsilon$ and $P_c^A < \epsilon$,
to which we may refer as $\epsilon$-concealing and $\epsilon$-binding.
These cheating probabilities are to be computed purely
on the basis of logical and physical laws, and thus would
survive any change in technology, including an increase
in computational power. In general, one can write down
explicitly

$$P_c^B = \frac{1}{4}\left(2 + \|\rho_0^B - \rho_1^B\|_1\right), \tag{9}$$

where $\|\cdot\|_1$ is the trace norm, $\|\tau\|_1 = \mathrm{tr}(\tau^\dagger\tau)^{1/2}$ for a
trace-class operator $\tau$, but the corresponding $P_c^A$ is more
involved. However, it may be shown that it satisfies

$$4\left(1 - P_c^B\right)^2 \le P_c^A \le 2\sqrt{P_c^B\left(1 - P_c^B\right)}. \tag{10}$$

The lower bound in (10) yields the following impossibility
result given by the IP,

$$\lim_n P_c^B = \frac{1}{2} \;\Rightarrow\; \lim_n P_c^A = 1 \tag{11}$$

within its formulation. Condition (8) or (11) is
a continuity statement different from a point statement
$P_c^B = 1/2 \Rightarrow P_c^A = 1$. Note that the impossibility proof
makes a stronger statement than the mere impossibility
of (US), i.e., (11) is stronger than (8) not being possible.
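
The EPR attack and the bounds relating the two cheating probabilities can be checked numerically on a small case. The following Python sketch is an added illustration, not code from the paper: it assumes a single-stage protocol with two states per bit on one qubit and that Babe verifies by projecting onto the full committed state on both spaces, and every function name and both sample protocols are constructed for this example.

```python
import math

S = 1 / math.sqrt(2)
ZERO, ONE = (1, 0), (0, 1)        # computational basis
PLUS, MINUS = (S, S), (S, -S)     # conjugate basis

def coeff_matrix(probs, states):
    """Row i holds sqrt(p_bi)|phi_bi>, the coefficients of the committed
    state |Phi_b> = sum_i sqrt(p_bi) |e_i>|phi_bi> (single-stage form)."""
    return [[math.sqrt(p) * complex(x) for x in s] for p, s in zip(probs, states)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]

def dagger(a):
    return [[a[j][i].conjugate() for j in range(2)] for i in range(2)]

def trace_norm(m):
    """Sum of singular values of a 2x2 matrix, using
    (s1 + s2)^2 = ||m||_F^2 + 2|det m|."""
    frob2 = sum(abs(x) ** 2 for row in m for x in row)
    det = m[0][0] * m[1][1] - m[0][1] * m[1][0]
    return math.sqrt(frob2 + 2 * abs(det))

def babe_density(c):
    """Babe's marginal state: rho[x][y] = sum_i c[i][x] * conj(c[i][y])."""
    return [[sum(c[i][x] * c[i][y].conjugate() for i in range(2))
             for y in range(2)] for x in range(2)]

def babe_cheating_prob(c0, c1):
    """Optimal probability that Babe identifies the bit, from the trace
    norm of the difference of her two marginal states."""
    r0, r1 = babe_density(c0), babe_density(c1)
    diff = [[r0[x][y] - r1[x][y] for y in range(2)] for x in range(2)]
    return (2 + trace_norm(diff)) / 4

def adam_cheating_prob(c0, c1):
    """Adam commits |Phi_0>, applies a local unitary U on his space and
    opens b = 1. The overlap <Phi_1|(U x I)|Phi_0> equals tr(U c0 c1^dagger),
    whose maximum modulus over unitaries U is the trace norm of c0 c1^dagger."""
    return trace_norm(matmul(c0, dagger(c1))) ** 2

def bounds_hold(pb, pa, tol=1e-9):
    """Check 4(1 - pb)^2 <= pa <= 2 sqrt(pb (1 - pb))."""
    lower = 4 * (1 - pb) ** 2
    upper = 2 * math.sqrt(max(0.0, pb * (1 - pb)))
    return lower - tol <= pa <= upper + tol

def cheating_unitary(c0, c1):
    """Candidate local transformation U = c1 c0^{-1} (c0 must be invertible).
    It is unitary exactly when Babe's two marginal states coincide."""
    det = c0[0][0] * c0[1][1] - c0[0][1] * c0[1][0]
    inv = [[c0[1][1] / det, -c0[0][1] / det],
           [-c0[1][0] / det, c0[0][0] / det]]
    return matmul(c1, inv)

def is_unitary(u, tol=1e-9):
    p = matmul(u, dagger(u))
    return all(abs(p[i][j] - (1 if i == j else 0)) < tol
               for i in range(2) for j in range(2))

# Constructed sample protocols (not from the paper).
# Perfectly concealing: both bits give Babe the maximally mixed state.
CONCEALING = (coeff_matrix([0.5, 0.5], [ZERO, ONE]),
              coeff_matrix([0.5, 0.5], [PLUS, MINUS]))
# Not concealing: bit 0 is biased towards |0>, so Babe gains information.
LEAKY = (coeff_matrix([0.9, 0.1], [ZERO, ONE]),
         coeff_matrix([0.5, 0.5], [PLUS, MINUS]))

if __name__ == "__main__":
    for name, (c0, c1) in (("concealing", CONCEALING), ("leaky", LEAKY)):
        pb = babe_cheating_prob(c0, c1)
        pa = adam_cheating_prob(c0, c1)
        exact = is_unitary(cheating_unitary(c0, c1))
        print(f"{name}: P_B={pb:.4f} P_A={pa:.4f} "
              f"bounds_hold={bounds_hold(pb, pa)} exact_local_cheat={exact}")
```

In the concealing case the candidate transformation is a genuine unitary and Adam's cheating probability is 1; in the biased case it is not unitary, and his best probability drops while staying inside the two bounds.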

There have been quite a few incorrect claims on ob- 
taining US QBC protocols, both before and after the 
appearance of the IP. In particular, two of the various 
approaches that were pursued by the present author do 
not work for reasons associated with the IP (see Ap- 
pendix A for a summary). In the first case, also pro- 
posed in different forms by several others, simple use of 
classical randomness by Babe supposedly leads to dif- 
ferent cheating transformations for Adam dependent on 
such randomness, hence a binding protocol is obtained 
after averaging over such randomness that has to be car- 
ried out in evaluating P A . The purification (0) is not 
attended to, in view of the "equivalence" between clas- 
sical and quantum randomness via the "Church of the 
Larger Hilbert Space" doctrine. However, this doctrine, 
often used in the IP as in J5J, is incorrect. One simple 
way to see that is to observe that if Adam does not entangle
the classical randomness, e.g., if Adam sends $|\phi_{bi}\rangle$
with probability $p_{bi}$ instead of (1), he cannot launch entanglement
cheating though $\rho_0^B = \rho_1^B$ still applies. Even
when the entanglement purification has been carried out,
(2) is equivalent to classically random $\{|\psi_k\rangle\}$ only if the
measurement of $\{|f_k\rangle\}$ is first performed on $\mathcal{H}^{B_2}$. Otherwise,
the off-diagonal elements in $\rho_b^B$ involving $|f_k\rangle\langle f_{k'}|$
may lead to better $P_c^B$ in Babe's cheating measurement
on $\mathcal{H}^{B_1} \otimes \mathcal{H}^{B_2}$, as compared to the case of purely classically
random $\{|\psi_k\rangle\}$ with zero off-diagonal elements.
As a specific example, consider the protocol preceding
QBC5p discussed in the beginning of Ref. [20]. It is perfectly
concealing if Babe does not entangle, but not if
she does. Other examples not involving teleportation
can also be given. Thus, there is no equivalence between
classical randomness and quantum purification. It is the
possibility of entanglement cheating by Babe, not Church
of the Larger Hilbert Space, which dictates that
is the correct representation in such a situation. Under
such a stronger concealing condition, compared to just
classically random $\{|\psi_k\rangle\}$, Adam may indeed cheat in
accordance with IP, depending on the protocol.

The second failed approach involves various attempts
to turn a pure $|\Phi_b\rangle$ into a mixed one through Adam's action
during the commitment phase before opening. The
IP argues that a pure $|\Phi_b\rangle$ can always be maintained in
principle via perfect quantum computation. While there
is no mathematical formalization on this issue that may
lead to a rigorous proof, my different attempts indeed
lead to different countermeasures by Adam, and I do not
see what next attempt to try in this approach that may
appear to have a possibility of success. However, this
strategy works on Babe's entanglement and leads to our
QBC1. The reason is directly connected to the point
of the last paragraph, namely that Babe's measurement
on $\{|f_k\rangle\}$ first and then on $\mathcal{H}^{B_2}$ can lead to a concealing
protocol even though there may be a measurement on
$\mathcal{H}^{B_1} \otimes \mathcal{H}^{B_2}$ with which Babe can cheat. Thus, Babe's entanglement
may be effectively "destroyed" through, e.g.,
Adam's questioning during commitment. See the following
discussions related to QBC1 in Sections III and IV
for details.



III. PROBLEMS OF THE IMPOSSIBILITY 
PROOF 

A plausible first reaction to the impossibility proof is: 
why are all possible QBC protocols covered by its formu- 
lation? More precisely, how may one capture mathemat- 
ically the necessary feature of an unconditionally secure 
QBC protocol in a precise definition that is required for 
the formulation and proof of a mathematical theorem 
that says such a protocol is impossible? No such def- 
inition is available. An analogy to a QBC protocol is 
an "effectively computable" function, a function whose 
value for any specific argument can be "mechanically" 
obtained in a finite number of steps without the intervention
of "intelligence." The well-known Church-Turing
thesis says that any effectively computable function can 
be computed recursively or by a Turing machine. It can 
be cast as an impossibility statement: there is no ef- 
fective procedure that cannot be simulated by a Turing 
machine. It was found that a function that can be com- 
puted by a method that is clearly effective, such as Post 
machines or Markov algorithms, is indeed also Turing-computable.
However, nobody calls the Church-Turing
thesis the Church-Turing theorem. This is because there
is no mathematical definition of an effective procedure. 
The logical possibility is open that someday a procedure 
is found that is intuitively or even physically effective, but 
which can compute a nonrecursive arithmetical function. 

Thus, in the absence of a precise definition of a QBC 
protocol, one would have at best an "impossibility the- 
sis," not an impossibility theorem. (This view was em- 
phasized to the author by Masanao Ozawa.) It is of- 
ten difficult, if not impossible, to capture precisely by 
means of a mathematical characterization a given kind 
of physical operations that have unambiguous common- 
sense meaning. For example, there is no definition that 
would characterize all classical cryptographic protocols, 
say for bit commitment. It is at least not clear why a 
definition in the more general quantum case can ever be 



5 



found. Just as there appear to be many different forms of 
effective procedures, there are many different QBC pro- 
tocol types that appear not to be captured by the IP 
formulation. To uphold just the "impossibility thesis," 
one would need to prove that US QBC is impossible in 
each of these types. 

The problem of characterizing mathematically all QBC 
protocols, although quite difficult, does not seem to be 
as hopeless as that for an effectively computable func- 
tion, if one believes that "bit commitment protocol" is 
less ambiguous than "effective procedure," even though 
both concepts can presumably be recognized to be appli- 
cable or not when a particular instance is presented. In 
particular, the framework of two-way quantum communication,
or the Yao model [25], without any constraints
of relativity or superselection rules but with the possibil- 
ity of the protocol being aborted as a result of cheating 
detection before opening, is an appropriate general set- 
ting. (The Yao model allows actual measurements during 
rounds but is often interpreted Q to imply ©-© used in 
coin-tossing formulation. That would exclude the possi- 
bility of sending back only part of a product space, which 
is utilized in many of our US protocols.) It is sometimes
argued that every proof has to presuppose a "model," 
but the question is whether the model used in the IP is 
general enough to capture all clear-cut QBC protocols 
within the above framework. It is also sometimes argued 
that the "community of experts in the field" have already 
agreed on a "definition" of what constitutes a QBC pro- 
tocol, which would rule out some of our Type 3 proto- 
cols. But the question is why a clear-cut QBC protocol 
should be ruled out by legislation. Note that "defini- 
tion" in this context does not mean an arbitrary choice 
of terminology, but a mathematical characterization of 
all instances where the concept is applicable. Observe 
also that this characterization problem does not arise in 
security proofs, because one should be able to exhaust all 
possible types of attack given a specific protocol. 

The most important instances of incompleteness 
of the IP and quantum coin-tossing formulations, as 
presently understood by the author, are listed under 
four categories in the following. Some of these have 
been discussed previously [21]. Some new
protocol types made possible by such gaps are discussed
in Section IV.

a. Freedom of Operation — In a two-party situation 
where either one can do anything, constrained only by 
physical laws, and has only his/her own interest to pro- 
tect, neither can be trusted to be honest if an operation 
would lead to his/her advantage without penalty. On the 
other hand, a party is supposed to strive to achieve the 
aim of the protocol if his/her own security against cheat- 
ing by the other party can be assured. These obvious 
considerations are codified as the Libertarian Principle
and the Intent Principle of protocol formation, further
elaborated in Ref. [17]. The resulting freedom of action
by either party is not accounted for in the QBC IP formulation,
nor in the mathematical formulations of quantum
coin-tossing protocols [24].

• Honesty and Cheating — In a multi-stage protocol, 
where a state space is passed between Adam and 
Babe in rounds for operations, as 0-linjl, either 
party can substitute an entirely different space of 
his/her own at any stage. The possible advantage 
is clear in coin-tossing, and examples were given in 
Ref. |2^| on bit commitment. There is no mech- 
anism built into the protocol formulation to pre- 
vent such cheating. Fortunately, this problem can 
be alleviated in two different ways [20] including
cheating detection and the possibility of aborting
the protocol, with perhaps a penalty imposed on
the party that got caught cheating with the use of
an ensemble, as described in Ref. [20] for QBC5.
However, there is still a lot of freedom left which 
has not been accounted for, some to be discussed 
in the following points (c) and (d). 

• Random vs. Nonrandom Secret Parameters — Sup- 
pose a protocol has the property that it is con- 
cealing for every possible legal operation by Babe 
that can be checked as mentioned above. Then 
Babe is free to choose any such operation (or state) 
with whatever probability distribution unknown to 
Adam. This freedom, codified as the Secrecy Principle
0], E3; is a simple corollary of the Libertarian
Principle and the Intent Principle. It directly
contradicts the IP claim that a state is always
openly known at the end of commitment in a
QBC protocol. One consequence of this freedom is 
that Adam's cheating transformations may depend 
on exactly what Babe's choice is in order to suc- 
ceed. Indeed, he may not even have a single density 
operator representation for each b due to the differ- 
ence between a random parameter and an unknown 
parameter, a distinction well-known in statistics. 
Our Type 3 and Type 6 protocols arise from this 
freedom, but no concrete protocol has been found 
in these types that can be proved unconditionally 
secure. On the other hand, with additional fea- 
tures one can construct secure protocols utilizing 
this freedom, as in our QBC1, QBC2, and QBC4. 

• Generalizations to Imperfect Operations — Since 
the final criterion in a QBC protocol involves prob- 
abilities only, every step and requirement can also 
be relaxed to a probabilistic, rather than a perfect 
deterministic, one. For example, the verifying mea- 
surement by Babe need not succeed with probabil- 
ity 1. However, it seems that the relaxation should 
go only so far as to the case where the probability 
is arbitrarily close to 1, as in other quantum and 
classical algorithms. Even though there is no proof 
to the contrary, there is no known case where this 
particular generalization would ever lead to a US 
QBC protocol. 
b. Generality of Quantum Purification - Adam
needs to entangle his possible actions in (1) or (6) in
order to launch an EPR attack as described in the IP. It
has not been shown why all possible classically random
elements in a protocol allow quantum entanglement
purification. Indeed, when quantum teleportation involving
one actual measurement among different possible
spaces is utilized during commitment, as in the case of
protocol QBC5 [20], there is no quantum purification.
In a different way, this situation of no purification, or no
unique purification as in QBC1, may also obtain when a
random part of a tensor product space from one party is
to be returned to the other party, which occurs in many
of our US protocols.

c. Different Commitment Possibilities - Under
this category one may consider almost all the restric- 
tions of the IP formulation that can be removed. A 
particularly important example is the possible use of 
multiple evidence state spaces. We have two separate 
secure protocols, QBC2 and QBC4, that exploit this 
possibility in different ways. Another example is the use 
of quantum teleportation in our QBC5. 

d. Nonuniqueness — There are various places in the 
IP where uniqueness of choice is implicitly assumed; oth- 
erwise the question would arise as to why a cheating 
transformation $U^A$ can be found which is successful for
every possible choice. For example, the cheating probability
$P_c^A$ depends on Babe's verifying measurement. For
an arbitrary protocol, the IP formulation does not, and in 
fact cannot, specify what the possible verifying measure- 
ments could be. There is no proof given that there cannot 
be more than one verifying measurement for which dif- 
ferent cheating transformations are needed. When such 
a situation occurs, Adam may not know which one to use 
for a successful cheating. However, this gap can be closed 
when the verifying measurements are perfect, i.e., the bit 
is verified with probability 1 from the measurement. 

A more serious situation occurs in the case of purifi- 
cation ©, when there is more than one way to purify a 
given classical random number. For example, the usual 
multi-stage formulation of QBC and coin tossing, exem- 
plified in Q-ljSj, carries the implicit assumption (and re- 
striction) that one fixed space is passed between the par- 
ties in the rounds. But there is great utility in splitting 
a classical or quantum correlated tensor product space 
for obtaining security. If a random sample of m out of n 
qubits are to be sent from the first party to the second 
after state modulation on the m qubits, the first party 
can pick any m of the n qubits and entangle/purify the 
result with unitary permutation operators among all the 
n qubits. Additional qubits apart from the n given ones 
can also be employed with proper permutation. As a re- 
sult, the m qubits that are sent back can be any m-subset 
of the original n qubits plus other auxiliary qubits. However,
the resulting $|\Phi_b\rangle$ of would be different for different
choices because the qubits have been individuated
by their positions, and there is no single overall purification.
Thus, there arises again the question of existence of
a uniformly successful cheating $U^A$ if concealing obtains
in each of the purifications. If the m qubits cannot be
entangled, or if their entanglement cannot be maintained
during the protocol, the possibility of uniform cheating
$U^A$ becomes the issue of the existence of irreducible residual
classical randomness in the protocol that is answered
negatively in our following QBC1.

IV. SIX NEW TYPES OF PROTOCOLS 

In this section we describe six different types of pro- 
tocols, together with specific examples for five of them, 
that are not covered by the IP for reasons expounded in 
the preceding section. For four protocols, namely QBC1, 
QBC2, QBC4, and QBC5, full unconditional security 
proofs are available. The situation for Type 3 and Type 
6 protocols is not certain. Together they should make 
clear the many possibilities that are open for developing 
US QBC protocols. All our protocols assume for simplic- 
ity that Adam opens perfectly, i.e., with probability one, 
for b = 0, as in the IP. 



A. Type 1 protocols — residual classical randomness

Type 1 protocols are defined to be those in which there 
is inherent classical randomness that cannot be quantum- 
mechanically purified and maintained. This classical ran- 
domness is distinguished from that of a Type 3 protocol 
that arises from $\{\lambda_k\}$ and $\{|f_k\rangle\}$ randomness in (0). Our
three-stage protocol QBC1 provides such an example and 
can be motivated as follows. It is possible to create pro- 
tocols that are clearly binding; the question becomes how 
to make them concealing. The main difficulty in this con- 
nection is Babe's entanglement (cheating) over the ran- 
dom choices. This, it turns out, can be prevented during 
cheating detection by Adam. Thus, the overall protocol 
becomes both concealing and binding. 

Consider a protocol in which Adam sends $n_0$ qubits to
Babe, each randomly drawn from a set of BB84 states
$S = \{|1\rangle, |2\rangle, |3\rangle, |4\rangle\}$,
$\langle 1|3\rangle = \langle 2|4\rangle = 0$,
$\langle 1|2\rangle = \langle 3|4\rangle = 1/\sqrt{2}$.
Babe randomly picks one and sends it back to Adam, who
modulates it by $U_0 = I$ or $U_1 = R_\pi$, the rotation by
$\pi$ on the great circle containing S, and commits it as
evidence. He opens by telling Babe the state of each qubit,
which she verifies, telling b = 1 if the one she sent was
moved by $R_\pi$. In a more complete protocol, Babe would
check that Adam indeed sends her states from S, and Adam
would check that Babe is sending back one of the qubits from
him. This can be carried out either in a classical
game-theoretic formulation or through an ensemble approach
described in Appendices A and B of Ref. [2(j. In any event,
according to IP and all coin-tossing formulations, both
parties are assumed honest except that they can (and should)
entangle all possibilities.

PROTOCOL QBC1

(i) Adam sends Babe n qubits, each drawn at random
from the set S of four BB84 states and
named by its temporal position.

(ii) Babe randomly selects $n - n_0 + 1$ of them and
sends them in a random order back to Adam,
who asks Babe to reveal the names for $n - n_0$
of them. After verifying them, he modulates the
remaining qubit for $U_0 = I$, $U_1 = R_\pi$.

(iii) Adam opens by declaring b and the states of all
the $n_0$ remaining qubits; Babe checks by
corresponding projective measurements.




The protocol is $\epsilon$-binding regardless of whether Babe
entangles for the following reason: Adam has to know
exactly which qubit Babe sent back in order to cheat
successfully, regardless of whether or not he uses his initial
entanglement, which may involve permutations among
the $n_0$ qubits. As just discussed in llllH . IP does not
apply because he does not know which qubit Babe sends
back. He needs to turn by just the one qubit via
$U^A$ that depends on exactly which qubit it is, i.e., on
the exact way Babe chose to purify and/or the exact
$|f_k\rangle$ she will measure. But if Adam knows which qubit
it is, he could just cheat by declaring a state appropriately
different from the original one, e.g., if he sent $|3\rangle$
he could declare he sent $|1\rangle$ instead. Without knowing
which qubit it is, let m (< n) qubits be turned by him,
each by an amount that would be accepted as 1 with
probability p < 1 by Babe upon her verification, while
the other $n_0 - m$ become a permutation of the original.
(It can be shown that with his full entanglement, the best
he can do is to turn a small fraction and re-permute the
others, but this result is not needed for the present
argument.) Thus, his probability of successful cheating is
$(m/n_0)\,p\,(1-p)^m$, the maximum of which over m can
be made arbitrarily small for large $n_0$.



If Babe does not entangle, this protocol is clearly
perfectly concealing. Since she may be able to cheat with
permutation entanglement, Adam can defeat that as follows.
He sends her originally $n > n_0$ qubits from which
Babe returns $n - n_0 + 1$ qubits. Adam randomly asks
Babe to reveal $n - n_0$ of the returned qubits and checks
that they are indeed in states sent by him. The only
entanglement Babe can employ is permutation among
the qubits as she could not respond to Adam perfectly
with additional entanglement. She may entangle a minimum
of two qubits at a time between one in the set of
$n - n_0 + 1$ elements she sends back to Adam and one in
the set of $n_0 - 1$ elements she keeps, in order to maximize
the probability that the last one retained by Adam
remains entangled to at least one qubit in her possession
for her entanglement cheating. The probability of having
the entanglement surviving on the one remaining in
Adam's possession is $(n_0 - 1)(n_0 - n + 1)^{-1}$, which can
be made arbitrarily small. Hence, $P^B < \frac{1}{2} + \epsilon$
for any $\epsilon$ and fixed $n_0$ with large n. This use of
$n > n_0$ qubits gives Adam a new possibility of entanglement,
which he could not use under the protocol condition that he
has to open the bit on the one remaining qubit whose name
Babe knows and would verify upon. Thus, we have proved
that the following protocol is $\epsilon$-concealing and
$\epsilon$-binding.



To recapitulate the logic of its success, this protocol al- 
lows many different purifications by Babe with different 
results $|\Phi_b\rangle$ and which may not be concealing, so Adam
cannot cheat anyway. However, by checking an ensemble 
Adam can force Babe to measure and destroy her en- 
tanglement cheating possibility. The resulting protocol 
becomes a classically randomized one, in which Adam of 
course still cannot cheat. 
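
The classically randomized form of QBC1 reached above can be checked numerically. The following Python sketch is an added example, not code from the paper: it assumes honest, non-entangling parties, models the four BB84 states as real unit vectors, and evaluates the simplest cheating attempt mentioned in the text, in which Adam commits b = 0 and then re-declares one guessed qubit as its orthogonal partner; all function and variable names are illustrative.

```python
import math
import random

# BB84 states |1>,|2>,|3>,|4> as real unit vectors with <1|3> = <2|4> = 0 and
# <1|2> = <3|4> = 1/sqrt(2), as required of the set S in the text.
S = {k: (math.cos((k - 1) * math.pi / 4), math.sin((k - 1) * math.pi / 4))
     for k in (1, 2, 3, 4)}

def r_pi(v):
    """R_pi on the great circle through S: sends |1> to |3> and |2> to |4>."""
    return (-v[1], v[0])

def overlap2(u, v):
    """|<u|v>|^2, the probability that a projective test for u accepts v."""
    return (u[0] * v[0] + u[1] * v[1]) ** 2

def commit(n, n0, b, rng):
    """Stages (i)-(ii) for honest parties who do not entangle (assumption)."""
    labels = {name: rng.choice((1, 2, 3, 4)) for name in range(n)}  # Adam's record
    returned = set(rng.sample(range(n), n - n0 + 1))                # Babe's choice
    # Adam asks for the names of all returned qubits but one; an honest Babe
    # passes that check with probability 1, so only the last qubit matters.
    committed_name = rng.choice(sorted(returned))
    evidence = S[labels[committed_name]]
    if b == 1:
        evidence = r_pi(evidence)
    kept = [name for name in range(n) if name not in returned]  # n0 - 1 with Babe
    return labels, kept, committed_name, evidence

def accept_prob(labels, kept, committed_name, evidence, declared_b, declared):
    """Stage (iii): probability that every one of Babe's projective checks passes."""
    p = 1.0
    for name in kept:                 # qubits Babe still holds, as Adam sent them
        p *= overlap2(S[declared[name]], S[labels[name]])
    target = S[declared[committed_name]]
    if declared_b == 1:
        target = r_pi(target)
    return p * overlap2(target, evidence)

def guess_cheat_success(n, n0, rng):
    """Adam commits b = 0, then claims b = 1 by re-declaring one guessed name."""
    labels, kept, committed_name, evidence = commit(n, n0, 0, rng)
    remaining = kept + [committed_name]   # the n0 names Adam cannot tell apart
    total = 0.0
    for guess in remaining:               # average over his uniform guess
        declared = {name: labels[name] for name in remaining}
        declared[guess] = (labels[guess] + 1) % 4 + 1   # orthogonal partner in S
        total += accept_prob(labels, kept, committed_name, evidence, 1, declared)
    return total / len(remaining)

if __name__ == "__main__":
    for n0 in (2, 5, 20, 100):            # constructed sample parameters
        print(n0, guess_cheat_success(10 * n0, n0, random.Random(n0)))
```

For this one strategy the acceptance probability is exactly $1/n_0$: a wrong guess is caught with certainty on a qubit Babe kept, which is the sense in which Adam must know which qubit was returned.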



B. Type 2 protocols — bit-value dependent evidence state space

As developed in Ref. [19], it is possible to have secure
protocols for which the evidence state space $\mathcal{H}^B$ in
$\mathcal{H}^A \otimes \mathcal{H}^B$, which is in Babe's
possession at the end of commitment, depends on the bit b and
becomes $\mathcal{H}^B_b$ as it appears to Adam, but is
indistinguishable for the two bit values to Babe. Type 2
protocols are defined to be those in which Babe sends Adam
$\mathcal{H}^B_0$ and $\mathcal{H}^B_1$ which she does not need
to entangle to her kept spaces although she may choose to.
Adam returns $\mathcal{H}^B_b$ to commit b while keeping the
other space. It is distinguished from Type 4 protocols that
employ split entangled pairs to individuate $\mathcal{H}^B_b$,
and is easier to implement practically.

Protocol QBC2 goes as follows. Let Babe send Adam
two sets of named states $S_0 = \{\phi_{01}, \ldots, \phi_{0n}\}$,
$S_1 = \{\phi_{11}, \ldots, \phi_{1n}\}$, each drawn randomly
from the set S of four BB84 states on a qubit. Adam does not
know and cannot determine perfectly what each state
$\phi_{bi}$ is. To commit b, he sends back randomly one of
$\phi_{bi}$, revealing b and i at opening. In order to cheat,
Babe has to distinguish the two sets $S_0$ and $S_1$ and then
measure on the committed state. It is readily checked that
this protocol is $\epsilon$-concealing for sufficiently large
n, such that the four states in S appear in nearly equal
fractions among $S_0$ and $S_1$, even if Babe entangles the
states. One may impose the condition that each state in S
appears equally often in $S_0$ and $S_1$, which yields perfect
concealing if Babe does not entangle, but again only
$\epsilon$-concealing if she does. Such a condition may be
obtained, e.g., by sending in n sets of four randomly
permuted states instead, with Adam picking one from a set.
On the other
hand, Adam cannot cheat perfectly given that Babe does
not entangle since that does not really help her (or that
she does but with $\{|f_k\rangle\}$ of J5J unknown to Adam; in the
latter case it shares the feature of QBC4 0). For QBC2
we just take the case Babe does not entangle. If Adam
entangles the $\phi_{0i}$ by way of permutations and commits
a qubit H j or his own qubit Ho-, he could not change 
by local transformation the state in H i (or Ho) to any 
of those in Ha. That is, the state in H i (or Ho) is en- 
tangled with the states in Hoi wherever these states may 
go from local transformations. This is because of the 
invariance of the position of a qubit within $S_0$ and $S_1$
under entanglement that assures perfect b = 0 opening.
The IP does not apply because $U^A$ cannot be determined
without knowing the state of the committed $\phi_{bi}$. See the
following Section for further discussion. Let $p_A < 1$
be Adam's optimal cheating probability. As usual, this
protocol QBC2.p can be extended to an $\epsilon$-binding one,
QBC2, in an N-sequence, making $P^A = p_A^N$ arbitrarily
small.
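
The concealing claim for the single-state version of QBC2 can be made quantitative. The following Python sketch is an added example, not code from the paper: it assumes Babe does not entangle, knows the sets she prepared, and receives one state chosen uniformly from $S_b$, and it computes her optimal (Helstrom) guessing probability for randomly drawn sets and for the balanced variant; function names and sample sizes are illustrative.

```python
import math
import random

# The four BB84 states of S as real unit vectors (Hilbert-space angles 0, 45, 90, 135 deg).
S = [(math.cos(k * math.pi / 4), math.sin(k * math.pi / 4)) for k in range(4)]

def mixture(indices):
    """Entries (a, c) of rho = [[a, c], [c, 1 - a]] for a uniformly random member of the set."""
    a = sum(S[k][0] ** 2 for k in indices) / len(indices)
    c = sum(S[k][0] * S[k][1] for k in indices) / len(indices)
    return a, c

def babe_guess_prob(set0, set1):
    """Helstrom limit 1/2 + (1/4)||rho_0 - rho_1||_1 for guessing b from the committed qubit."""
    a0, c0 = mixture(set0)
    a1, c1 = mixture(set1)
    # rho_0 - rho_1 = [[da, dc], [dc, -da]] has eigenvalues +-sqrt(da^2 + dc^2).
    trace_norm = 2.0 * math.hypot(a0 - a1, c0 - c1)
    return 0.5 + 0.25 * trace_norm

def random_sets(n, rng):
    """S_0 and S_1 as first described in the text: n independent draws from S each."""
    return ([rng.randrange(4) for _ in range(n)],
            [rng.randrange(4) for _ in range(n)])

def balanced_sets(groups, rng):
    """The stricter variant: every state of S appears equally often in each set."""
    sets = []
    for _ in range(2):
        s = [0, 1, 2, 3] * groups
        rng.shuffle(s)
        sets.append(s)
    return sets[0], sets[1]

def concealing_gap(n, rng):
    """Babe's best guessing probability minus 1/2 for one random draw of the two sets."""
    return babe_guess_prob(*random_sets(n, rng)) - 0.5

if __name__ == "__main__":
    rng = random.Random(0)                 # constructed sample run
    for n in (8, 80, 800, 8000):
        print(n, round(concealing_gap(n, rng), 4))
    print("balanced:", babe_guess_prob(*balanced_sets(5, rng)))
```

The gap shrinks roughly as $1/\sqrt{n}$ for random sets and vanishes for balanced sets; the entangling case discussed in the text is outside this calculation.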



C. Type 3 protocols — anonymous states 

Type 3 protocols are defined to be those where concealing
is obtained for each of Babe's possible choices of
$\{\lambda_k\}$ and/or $\{|f_k\rangle\}$ in (J2J) at any stage of
the protocol. Each choice thereby results in an anonymous
state on H^ ®Hg as it is unknown to Adam. To explain how such
a situation may arise in view of the purification J5J ,
observe that the unknown $|\psi_k\rangle$ without purification
is merely replaced by the unknown $\{|f_k\rangle\}$ in @ even
for known $\{\lambda_k\}$. How would the other party, say Adam,
know $\{|f_k\rangle\}$? Babe can use any orthonormal
$\{|f_k\rangle\}$ without affecting the protocol security,
assuming that the protocol is perfectly concealing for any
orthonormal $\{|f_k\rangle\}$, as it usually is. The Secrecy
Principle [18] mentioned above ensures that Adam cannot demand
to know exactly what $\{|f_k\rangle\}$ Babe uses in any
instance of the protocol execution. As a matter of fact, in
reality (J2J) may just be an abstract representation such
that even Babe does not and cannot know $\{|f_k\rangle\}$, as
for example when Babe generates the $\{|\psi_k\rangle\}$ in a
classically random fashion. It is clear that IP would not go
through unless Adam's cheating transformation $U^A$ is
independent of $\{|f_k\rangle\}$. This issue has not been
examined in the literature, but a proof that such
independence is obtained was given in Ref. [23] for protocols
that do not involve what we call the switching of evidence
state space that produces the $\{|f_k\rangle\}$ dependence on
$U^A$, or Babe's checking over the entire entangled
$U_{bi}|\psi\rangle$ upon verification that makes Theorem 3 of
Ref. [23] inapplicable. Moving the boundary to further
entanglement on H c does not work because Adam cannot operate
on Ha . Thus, the proof breaks down in general, and the above
scenario of $\{|f_k\rangle\}$ dependence of $U^A$ with
corresponding $U_{bi}|\psi\rangle$ verification is carried out
for the development of a secure protocol QBC4.

In the early anonymous-state protocols 0, HE H3-
the use of b-dependent evidence state spaces has not been
discovered and it was thought that $U^A$ is always
independent of $\{|f_k\rangle\}$ in J5J), even though a proof
is only available for a special class of protocols described
by $U_{bi}|\psi\rangle$ or Eq. (26) of Ref. [23]. Furthermore,
the use of split entangled pair verification on
$U_{bi}|\psi\rangle$ has also not been discovered, and a
theorem was proved in Ref. that $U^A$ is independent of
$\{\lambda_k\}$ in the perfect concealing case. The question
then becomes whether the $\{\lambda_k\}$ freedom alone would
yield a secure protocol in the $\epsilon$-concealing case.

It is sometimes argued that such freedom cannot be
automatized and thus cannot lead to a definite QBC protocol.
However, since each party can clearly keep its own
secret mechanism of choosing the $\{\lambda_k\}$, similar to
other cases of a kept secret in cryptography, protocols of
this kind are perfectly well-defined QBC protocols. In this
connection, one should avoid the confusion between a
probability distribution $\{\lambda_k\}$ and a definitive
$|\psi\rangle$ of J5J, and between a random and an unknown
parameter. See [T ^ - IT3 for further elaborations on these
points. See also Ref. [26] for a general classification of
many anonymous states protocols that, however, does not
include our four protocols of this paper.

Even if a theorem is proved with the purification (J2J
for any $\{\lambda_k\}$ and a fixed $\{|f_k\rangle\}$ that says
$\epsilon$-concealing for all $\{\lambda_k\}$ yields a good
cheating $U^A$ independently of $\{\lambda_k\}$, it does not
apply to our QBC2 where no $\{|f_k\rangle\}$ is used (or
equivalently $U^A$ needs to succeed for all $\{|f_k\rangle\}$)
in Adam's cheating. This is because with known
$\{|f_k\rangle\}$, Adam does not need to really switch the
state from $S_0$ to $S_1$. Thus, our QBC2 protocol is a Type 3
protocol also if one observes that Babe can entangle the H^
states $\{|\psi_k\rangle\}$ with any Hp state $\{|f_k\rangle\}$
without affecting $\epsilon$-concealing, but the cheating
$U^A$ depends on $\{|f_k\rangle\}$.



D. Type 4 protocols — split entangled pair to individuate evidence space

The use of bit-value dependent evidence state space
leads to $\epsilon$-concealing and $\epsilon$-binding protocol
QBC2 described above. It is possible to obtain perfectly
concealing protocols when the evidence space is entangled by
Babe, which is indistinguishable to Babe when presented
to her by Adam as committed evidence. This is described
in Ref. [l!| for protocol QBC4. These two protocols,
although relying on the same basic idea, illustrate in
different ways the diverse manifestation of b-dependent
$\mathcal{H}^B_b$ and classical randomness in protocol design.

PROTOCOL QBC2

(i) Babe sends Adam two m-qubit sets of states, $S_0$
and $S_1$, each state randomly drawn from a fixed
set S of four BB84 states. To commit b, Adam
randomly picks N states, ICm, from $S_b$ and
sends them to Babe.

(ii) Adam opens by revealing b and all the states he
committed; Babe verifies by projective measurements.



E. Type 5 protocols — utilizing quantum teleportation

Type 5 protocols are defined to be those where quan- 
tum teleportation is utilized during commitment. An 
example is a two-stage protocol in which Babe randomly 
sends an entangled pair to Adam, who uses it to teleport
a single possible state $|b\rangle$ for each b to one qubit
and sends it to Babe at opening. The Bell measurement
result is committed as evidence. If Babe does not or cannot
entangle, it is readily seen that such a protocol is
perfectly concealing, while Adam cannot cheat perfectly.
If Babe entangles her choice, the protocol can be made
$\epsilon$-concealing if Babe first sends in many qubit pairs.
The resulting protocol QBC5p and its US extension QBC5
are fully described in Ref. [2J}. The main reason for the
failure of IP in this case is that Adam's measurement can- 
not be postponed to after commitment while the possible 
measurement results cannot be entangled as the actual 
reading is the committed evidence. 

F. Type 6 protocols — necessary condition on concealing or binding

Once the freedom of operation is opened up, one may 
no longer assume that anything has to be known to both 
parties. For example, even in the original IP formulation,
one may allow Adam to use different possible $\{p_{bi}\}$
in QJ. Thus, Babe has to decide on b by some strategy
different from the one that assumes $\{p_{bi}\}$ are known. The
issue of unknown versus random parameters enters again, 
which greatly complicates the situation. It is not clear 
how one may formulate necessary conditions for conceal- 
ing, or binding, that are needed to yield an impossibility 
proof that says if the necessary concealing (or binding) 
condition is satisfied, then the protocol cannot be bind- 
ing (or concealing). However, it is also not clear how to 
formulate a protocol this way that can be proved secure. 
We just reserve the name "Type 6 protocols" for this 
approach without an example. 

V. CONCLUDING REMARKS 

We have tried to explain and to dissect the various 
ways a QBC protocol can be designed, and to show the 
many possibilities that the "impossibility proof" formu- 
lation misses. Specifically, we list four categories of gaps 
and six types of new protocol formulations that exploit 
such gaps. In four of these types, there are protocols
QBC1, QBC2, QBC4, and QBC5 that can be proved
unconditionally secure. This also solves the quantum coin-
tossing problem, in which much work has been done as- 
suming secure quantum bit commitment is impossible. 
Also, one of our protocols, QBC2, can be readily imple- 
mented with coherent states and is close to being practi- 
cal even with the limited quantum memory and quantum 
communication capabilities we have at present. The chal- 
lenge remains to find fully practical, secure QBC schemes 
including system imperfections, as well as efficient ways 
to utilize them for various cryptographic objectives. 



APPENDIX A: PREVIOUS PROTOCOLS 

I discuss briefly here the security status of the proto- 
cols I previously proposed and claimed unconditionally 
secure. 

Protocol "QBC2" in Ref. [21], the only one claimed
to be US there, is not proved perfectly concealing because
entanglement cheating by Babe is not accounted
for. It was assumed to be the same as a classically random
protocol. While a proof is not available, it appears
that the protocol cannot be made perfectly concealing or
$\epsilon$-concealing without allowing Adam to cheat, even with
the modification described in Section 5 of Ref. 0] .

Ref. is a preliminary version of Ref. [2^ , in which 
Type 3 protocols are introduced. However, the binding 
argument from no-cloning there is not valid. Thus, if 
Adam knows the (purified) anonymous state, the proto- 
col is insecure due to the fact that all perfectly verifying 
measurements under the IP formulation lead to insecure 
protocols against a single cheating $U^A$, although that is
a fact not proved in the IP itself. If Adam does not know 
the anonymous state, the situation is not yet completely 
resolved. However, it appears that Adam can probably 
cheat for operator-theoretic reasons on tensor product 
spaces, in this case as well as in QBC2.1p of v2 of this 
paper. 

Protocols "QBC1" in Ref. [16] and "QBC4" in
Ref. ^3 >, as well as the preliminary version of Ref. [21],
involve attempts to force Adam to measure on $\mathcal{H}^A$,
thus effectively "destroying" his entanglement. They fail as
indicated in Section [HJ However, such an attempt can
succeed when applied to destroy Babe's entanglement,
in the sense discussed in this paper, which leads to our
present QBC1 that was first briefly discussed in Ref. [18].
The protocol "QBC2" in Ref. \jg and v1 of this paper,
which is a "Type 2" protocol of Ref. [3, protocol "QBC4"
in v1 of Ref. HJ, and protocol "QBC5" in v1 of Ref.
are all insecure because they can be brought into the form
of a single $|\Phi_b\rangle$ so that IP and the results of
Section III in Ref. [23] apply.